Escher Auernheimer, a member of Goatse Security, said in a statement Monday that AT&T “f***ed up” when it deployed a Web application that contained logic flaws. That flaw in the application is what allowed the security firm to access more than 100,000 iPad owners’ email addresses.
In a response to a letter sent to AT&T’s customers this weekend, where the company apologized for the email incident and any inconvenience it may have caused, Goatse Security member Escher Auernheimer said:
“You f---ed up, we helped you that figure [sic] out and informed the public. You should thank us, but you can keep on sh**-talking if you want. We know what we did was right.” [Link]
On Friday, The Tech Herald reported on a story from Gawker Media detailing a Web application flaw on AT&T’s site that exposed 114,000 email addresses, some of which belonged to heavy hitters in both news and politics (the original story is here and the update is here).
After the Gawker story broke, there was a lot of attention from the media as well as the FBI. On Sunday, AT&T issued an apology letter to customers about the incident that contained some interesting comments aimed at Goatse Security.
In the letter, AT&T called Goatse’s actions malicious, referring to the group as “hackers” who had exploited a function designed to make customers’ iPad log-ins faster, “...by pre-populating an AT&T authentication page” with the email address used to register the iPad to their 3G service.
As we noted in an earlier story, the explanation AT&T gives in its official letter clearly describes a logic flaw: the application took an identifier (the ICC-ID) and returned the associated email address without any further check that the requester owned that device.
“The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity,” AT&T explained.
This point was specifically addressed by Auernheimer in Goatse’s answering statement.
“I'll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as 'great efforts', so be it.”
As for the disclosure method itself, AT&T has said that Goatse never contacted it to report the vulnerable Web application. This has led some to call Goatse’s conduct unethical.
However, Goatse did contact AT&T indirectly, through a third party. That third party is the same business customer AT&T has mentioned in both its letter to customers and its press statements.
“If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the RBN or the Chinese, or some other criminal organization or government (if it wasn’t already),” Auernheimer noted.
“AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate -- within the hour. Days afterwards is not acceptable ...even in this disclosure, which I feel they would not have made if we hadn’t publicized this vulnerability, AT&T is being dishonest about the potential for harm.”
The potential for harm, as Auernheimer pointed out, includes an exploit targeting a vulnerability in Safari on the iPad that has been publicly known for more than two months. If leveraged, the vulnerability would turn the device into a spam drone, a wordlist-based logon cracker for networks, or even a relay for payloads to arbitrary daemons.
The vulnerability was patched on OS X but still works on the iPad. It is an integer overflow: the port number is ultimately stored in a 16-bit field, so a value of 65,536 wraps back to 0, and an attacker who wants to bypass Safari’s port blocking only needs to add 65,536 to the port they wish to target. For example, to reach the SMTP port and send spam, they would request ‘25 + 65,536’, which is port ‘65,561’.
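The port-blocking bypass described above, as an added illustration that is not code from the article or from Apple: a filter that compares the full requested number against a blocklist, a socket layer whose port field is 16 bits wide, and a hardened filter that rejects anything outside 0..65535 before consulting the blocklist. The blocked port list is a constructed sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample blocklist: ports a browser refuses to connect to.
 * SMTP (25) is included because the article uses it as its example. */
static const uint16_t blocked_ports[] = {25, 110, 143};
static const size_t n_blocked = sizeof blocked_ports / sizeof blocked_ports[0];

/* The port the socket layer actually uses: a sockaddr port field is 16 bits,
 * so the requested number is silently reduced modulo 65536. */
uint16_t effective_port(long requested) {
    return (uint16_t)requested;
}

/* Weak filter: compares the unnarrowed number. 65561 is not 25, so it is
 * allowed, yet effective_port(65561) is 25. That gap is the bypass. */
bool weak_filter_allows(long requested) {
    for (size_t i = 0; i < n_blocked; i++)
        if (blocked_ports[i] == requested) return false;
    return true;
}

/* Hardened filter: reject anything that cannot be a real port, then check
 * the blocklist on the same value the socket layer will use. */
bool hardened_filter_allows(long requested) {
    if (requested < 0 || requested > 65535) return false;
    uint16_t port = effective_port(requested);
    for (size_t i = 0; i < n_blocked; i++)
        if (blocked_ports[i] == port) return false;
    return true;
}

int main(void) {
    long req = 25 + 65536;   /* the article's example: 65561 */
    printf("weak filter allows %ld: %s (connects to port %u)\n", req,
           weak_filter_allows(req) ? "yes" : "no", effective_port(req));
    printf("hardened filter allows %ld: %s\n", req,
           hardened_filter_allows(req) ? "yes" : "no");
    return 0;
}
```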
“The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting,” Auernheimer said.
Given the numbers involved, this exploit is likely not the only one for Apple’s newest device. It is simply the one that is publicly known.
“AT&T is not highlighting the potential for a skilled attacker to use a Safari exploit, or other iPad application exploit based on this dataset to take over the iPad. A complete list of iPad 3G customers (which could have been generated from this vulnerability) would have the ideal bit of data for those in the RBN with zero-day Safari exploits to acquire.”
“Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment,” Auernheimer said.
Concluding the public answer to AT&T’s letter, Auernheimer said that Goatse did what it did as a service to the nation.
“We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.”
When asked if it had any comments on Goatse’s statement addressing its official letter, AT&T said, “No. Our letter speaks for itself.”